Lawful basis for processing personal data
Every processing activity must have a documented lawful basis under Article 6 of UK GDPR before processing begins. Choosing the wrong basis — or failing to document the chosen basis — is one of the most common compliance failures identified in ICO investigations. The basis cannot be changed retrospectively, and different activities may require different bases.
The six lawful bases
Article 6(1) of UK GDPR sets out six lawful bases for processing personal data. Every processing activity — every category of data you collect, from every source, for every purpose — must be mapped to one of these six. The mapping must be documented, ideally in your Article 30 Record of Processing Activities (ROPA).
Consent — Article 6(1)(a)
Consent is valid only where it is freely given, specific, informed, and unambiguous. Pre-ticked boxes, bundled consent, and consent as a condition of a contract or service are not valid. Individuals must be able to withdraw consent as easily as they gave it, and withdrawal must not disadvantage them. Consent must be evidenced — a record of when consent was given, by whom, to what, and how must be retained.
The ICO advises that consent is often not the most appropriate basis, and that organisations default to it when another basis would be more appropriate and more durable. If consent is withdrawn, processing must stop — whereas other bases (such as contract or legal obligation) are not affected by individual preference.
Contract — Article 6(1)(b)
Processing is lawful where it is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract. The key word is necessary — processing is only covered by this basis where it is genuinely required to perform the contract. Processing personal data for marketing to customers is not necessary to perform a sales contract.
Legal obligation — Article 6(1)(c)
Processing is lawful where it is necessary for compliance with a legal obligation to which the controller is subject. This basis covers processing required by UK law — for example, employer PAYE obligations require processing employee financial data; the Money Laundering Regulations 2017 (MLR 2017) require accountants and solicitors to process customer due diligence (CDD) data. The specific legal obligation must be identified and documented.
Vital interests — Article 6(1)(d)
Processing is lawful where it is necessary to protect the vital interests of the data subject or another person. This basis applies in life-or-death situations and is rarely relevant outside healthcare and emergency services contexts. The ICO indicates this basis should be used only where no other basis applies.
Public task — Article 6(1)(e)
Processing is lawful where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This basis is primarily for public authorities and bodies with statutory functions. Most private sector organisations will not use this basis.
Legitimate interests — Article 6(1)(f)
Legitimate interests is the most flexible basis and is often the most appropriate for private sector organisations. Processing is lawful where it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Reliance on legitimate interests requires a three-part Legitimate Interests Assessment (LIA): first, establish that the interest is genuine and not trivial; second, establish that the processing is necessary to achieve that interest; third, balance the interest against the data subject's rights, considering whether they would reasonably expect the processing and whether it could cause harm. The LIA must be documented and retained.
Special category data — Article 9
Special category personal data attracts additional obligations under Article 9. The categories are: health data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, biometric data, genetic data, data concerning sexual orientation, and criminal convictions and offences.
Processing any of these requires both an Article 6 lawful basis and a separate Article 9(2) condition, documented independently. The most commonly applicable Article 9 conditions for private organisations are:
- Explicit consent — Article 9(2)(a)
- Employment and social security obligations authorised by law — Article 9(2)(b)
- Vital interests where the data subject cannot give consent — Article 9(2)(c)
- Legal claims — Article 9(2)(f)
Both the Article 6 basis and the Article 9(2) condition must be documented separately in the ROPA for each processing activity involving special category data.
Documenting your lawful basis
The lawful basis for each processing activity must be documented before processing begins and must be reflected in the privacy notice served on data subjects. The ICO requires transparency — data subjects must be told which basis is relied on for each processing purpose. A privacy notice that does not identify the lawful basis for each processing activity is likely to be non-compliant with the transparency requirements of Articles 13 and 14.
The Article 30 ROPA is the natural home for lawful basis documentation. Each processing activity listed in the ROPA should record the lawful basis relied upon, the purpose of the processing, the categories of data, the retention period, and the recipients. Where legitimate interests is relied upon, the LIA should be referenced from the ROPA and retained separately.